逆WIN7X64内核调试体系之NtDebugActiveProcess
来源:互联网 发布:淘宝整机哪家靠谱 编辑:程序博客网 时间:2024/04/29 17:00
NTSTATUS __fastcall proxyNtDebugActiveProcess(HANDLE ProcessHandle, HANDLE DebugObjectHandle){
PMY_OBJECT_TYPE object;
PMY_OBJECT_TYPE debugobject;
OBJECT_HANDLE_INFORMATION objecthandleinformation;
NTSTATUS status;
PETHREAD LastThread;
status=ObReferenceObjectByHandle(ProcessHandle, 0x800, PsProcessType, UserMode, &object, &objecthandleinformation);
if (NT_SUCCESS(status)){
if (object == PsGetCurrentProcess() || object == PsInitialSystemProcess){
ObfDereferenceObject(object);
status = STATUS_INVALID_HANDLE;
}
}
status = ObReferenceObjectByHandle(DebugObjectHandle, 0x2, NewDbgObject, UserMode, &debugobject, &objecthandleinformation);
if (!NT_SUCCESS(status)){
status = STATUS_INVALID_HANDLE;
ObfDereferenceObject(debugobject);
ObfDereferenceObject(object);
}
else{
if (ExAcquireRundownProtection((PEX_RUNDOWN_REF*)(object + 376))){
((pfnDbgkpPostFakeProcessCreateMessages)DbgkpPostFakeProcessCreateMessages)(object, debugobject, &LastThread);
((pfnDbgkpSetProcessDebugObject)DbgkpSetProcessDebugObject)(object, debugobject, status, LastThread);
}
else{
status = STATUS_PROCESS_IS_TERMINATING;
}
ExfReleaseRundownProtection((PEX_RUNDOWN_REF*)(object + 376));
}
return status;
}
今天先发一个
PMY_OBJECT_TYPE object;
PMY_OBJECT_TYPE debugobject;
OBJECT_HANDLE_INFORMATION objecthandleinformation;
NTSTATUS status;
PETHREAD LastThread;
status=ObReferenceObjectByHandle(ProcessHandle, 0x800, PsProcessType, UserMode, &object, &objecthandleinformation);
if (NT_SUCCESS(status)){
if (object == PsGetCurrentProcess() || object == PsInitialSystemProcess){
ObfDereferenceObject(object);
status = STATUS_INVALID_HANDLE;
}
}
status = ObReferenceObjectByHandle(DebugObjectHandle, 0x2, NewDbgObject, UserMode, &debugobject, &objecthandleinformation);
if (!NT_SUCCESS(status)){
status = STATUS_INVALID_HANDLE;
ObfDereferenceObject(debugobject);
ObfDereferenceObject(object);
}
else{
if (ExAcquireRundownProtection((PEX_RUNDOWN_REF*)(object + 376))){
((pfnDbgkpPostFakeProcessCreateMessages)DbgkpPostFakeProcessCreateMessages)(object, debugobject, &LastThread);
((pfnDbgkpSetProcessDebugObject)DbgkpSetProcessDebugObject)(object, debugobject, status, LastThread);
}
else{
status = STATUS_PROCESS_IS_TERMINATING;
}
ExfReleaseRundownProtection((PEX_RUNDOWN_REF*)(object + 376));
}
return status;
}
今天先发一个
0 0
- 逆WIN7X64内核调试体系之NtDebugActiveProcess
- 逆WIN7X64内核调试之NTCreateDebugObject
- 内核调试之dump_stack
- Linux 内核调试之 printk
- Windbg内核调试之三: 调试驱动
- Windbg内核调试之三: 调试驱动
- Windbg内核调试之三: 调试驱动
- Windbg内核调试之三: 调试驱动
- 使用kgdb调试内核之模块调试
- Windbg内核调试之三: 调试驱动
- 内核调试 之 搭建qmeu 调试环境
- 在Win7x64上加载无签名驱动以及让PatchGuard失效(Win7x64内核越狱)
- 在Win7x64上加载无签名驱动以及让PatchGuard失效(Win7x64内核越狱)
- Linux内核体系架构
- Linux内核体系简介
- Linux内核体系架构
- linux内核系统体系
- WinDbg : 在Win7X64中调试x86应用层程序
- 对现有的所能找到的DDOS代码(攻击模块)做出一次分析----CC篇
- viewController的加载顺序
- asp.net下调用Matlab生成动态链接库
- 对现有的所能找到的DDOS代码(攻击模块)做出一次分析----GET篇
- Java反射机制详解
- 逆WIN7X64内核调试体系之NtDebugActiveProcess
- 对现有的所能找到的DDOS代码(攻击模块)做出一次分析----ICMP篇
- 大话西游
- 对现有的所能找到的DDOS代码(攻击模块)做出一次分析----UDP篇
- noip2011 数字反转 (模拟)
- 第三周项目三 求集合并集
- 对现有的所能找到个DDOS代码(攻击模块)做出一次分析----TCP篇
- 美解决doc、docx格式word转换为Html
- Tju 1003 Transportation
